{"id":25441,"date":"2022-05-30T09:12:15","date_gmt":"2022-05-30T13:12:15","guid":{"rendered":"https:\/\/devopsnews.online\/?p=25441"},"modified":"2022-05-30T09:12:15","modified_gmt":"2022-05-30T13:12:15","slug":"four-must-know-principles-for-devsecops","status":"publish","type":"post","link":"https:\/\/devopsnews.online\/four-must-know-principles-for-devsecops\/","title":{"rendered":"Four must-know principles for DevSecOps"},"content":{"rendered":"
As digital transformation programs continue to be a firm priority for many CEOs, organizations are increasingly adopting cloud-native architectures to expand their DevOps practices and build developer platforms that drive innovation. However, these rapid development cycles are putting pressure on enterprise security, as developer-led processes are not always aligned with IT security policies and practices.<\/p>\n
The drive to make developer teams go faster is exposing platform infrastructure to new kinds of security weakness. According to a recent survey, 52% of companies admitted to cutting back on security measures to meet a business objective, potentially leaving their platforms open to exploitation and cybercrime. In an automation-driven world, enforcing security policies that keep pace with ever faster deployment cycles is a complex challenge.<\/p>\n
Adding to the challenge is the growing popularity of Kubernetes as a container-orchestration system and the need to build in developer policies, or \u201cguardrails\u201d, that establish best practices for developers without slowing them down. Offering flexibility and a declarative, code-based experience, Kubernetes has fast become the platform of choice among developers for cloud-hosted applications: a 2021 survey by the Cloud Native Computing Foundation found that 96% of respondents were using or evaluating Kubernetes.<\/p>\n
However, as an open-source project, Kubernetes is constantly evolving and getting faster for developers, so security teams must recommend integrated security tooling that developer teams can readily adopt and that meets their need for automation.<\/p>\n
When using Kubernetes, an important part of container security is configuring and managing machine identities so that every workload deployed to a cluster carries an X.509 certificate. Each time a developer spins up a microservice, container, or virtual machine in production, it must be assigned a certificate identity, and that identity must be managed throughout its lifecycle: issued, renewed before it expires, rotated along with its private key, and retired together with the workload. The rise of cloud-native computing has produced an explosion of these machine identities, far too many to manage manually.<\/p>\n
Machine identity management solutions can give developers the means to automate the issuance and renewal of high volumes of certificates. But without security policies and tooling that report the configuration status of all these certificates (which ones are about to expire, which use weak keys or were issued for longer than policy allows, which have no subject alternative name to match against a service), companies risk letting weaknesses creep in that expose their platform systems to attack.<\/p>\n
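The kind of status check the paragraph above calls for, as an added example that is not part of the original article and is not Jetstack or cert-manager code: a small Go program that audits DER-encoded workload certificates against a policy (renew-before window, maximum lifetime, minimum RSA key size, SAN presence). The policy thresholds, the service name payments-api.prod.svc and the self-signed test certificates are constructed for the example; real workload certificates would be issued by the cluster CA.<\/p>\n

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the thresholds a platform team enforces on workload certificates.
// The defaults are assumptions chosen for this example, not a published standard.
type Policy struct {
	RenewBefore time.Duration // flag certificates that expire sooner than this
	MaxLifetime time.Duration // flag certificates issued for longer than this
	MinRSABits  int           // flag RSA keys smaller than this
}

var DefaultPolicy = Policy{RenewBefore: 30 * 24 * time.Hour, MaxLifetime: 90 * 24 * time.Hour, MinRSABits: 2048}

// Audit parses one DER-encoded certificate and returns its policy findings at time now.
// An empty result means the certificate is compliant; expiry is checked first because
// it is the finding a renewal pipeline must act on first.
func Audit(der []byte, now time.Time, p Policy) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	var findings []string
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < p.RenewBefore:
		findings = append(findings, "expires-soon")
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, "not-yet-valid")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxLifetime {
		findings = append(findings, "lifetime-too-long")
	}
	// Without a SAN a peer cannot match the certificate to the service it is talking to.
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 && len(cert.URIs) == 0 {
		findings = append(findings, "no-san")
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < p.MinRSABits {
			findings = append(findings, "weak-rsa-key")
		}
	case *ecdsa.PublicKey: // P-256 and up are accepted as issued
	default:
		findings = append(findings, "unexpected-key-type")
	}
	return findings, nil
}

// SelfSignedCert builds a constructed workload certificate so the audit can run offline.
// rsaBits == 0 selects an ECDSA P-256 key; otherwise an RSA key of that size (1024 models a weak legacy key).
func SelfSignedCert(sans []string, notBefore time.Time, lifetime time.Duration, rsaBits int) ([]byte, error) {
	var pub, priv any
	if rsaBits == 0 {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		pub, priv = &k.PublicKey, k
	} else {
		k, err := rsa.GenerateKey(rand.Reader, rsaBits)
		if err != nil {
			return nil, err
		}
		pub, priv = &k.PublicKey, k
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "payments-api"}, // hypothetical workload name
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	now := time.Now()
	good, err1 := SelfSignedCert([]string{"payments-api.prod.svc"}, now.Add(-time.Hour), 90*24*time.Hour, 0)
	bad, err2 := SelfSignedCert(nil, now.Add(-364*24*time.Hour), 365*24*time.Hour, 1024)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, der := range [][]byte{good, bad} {
		findings, err := Audit(der, now, DefaultPolicy)
		fmt.Println(findings, err) // [] <nil>, then [expires-soon lifetime-too-long no-san weak-rsa-key] <nil>
	}
}
```

In a cluster the same Audit function would run over the tls.crt entry of each TLS Secret after pem.Decode, and the findings would feed the policy that decides whether the workload may be admitted or must be re-issued.<\/p>\n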
To address this problem, companies are looking for ways of bringing the security and development teams closer together using new DevSecOps practices. However, this need to marry the skill sets of DevOps and security is not yet delivering the levels of protection organizations need. While 85% of companies say that employing SecOps best practices is an important goal for them, only 35% say that SecOps is an established practice in their organizations. As a result, we\u2019re seeing large-scale attacks from cybercrime gangs such as TeamTNT, which has become known for targeting misconfigured Kubernetes clusters and spreading malware.<\/p>\n
To help drive DevSecOps success, we\u2019ve identified four principles that can make processes easier to follow:<\/p>\n
Considering the substantial financial and reputational costs of a cyberattack, security must be a concern for everyone working along the development pipeline. Zero Trust principles are becoming a widely accepted way for security teams to apply policies and best practices. Nevertheless, many development teams still see security as a chore that prevents them from deploying at speed.<\/p>\n
Developer teams instead want to rely on DevSecOps approaches which recommend security tools and practices that work with automation and fit with current developer processes, allowing them to innovate at speed, improve productivity, and be confident their code is secure.<\/p>\n
By combining developer speed with improved security practices, DevSecOps is increasingly focused on the overall Developer Experience (DevEx) to achieve its goals of high automation and strong security. Improving the Developer Experience means making security and consistency the default path rather than an extra step.<\/p>\n
We all need to do everything we can to avoid further damaging attacks. As Kubernetes adoption accelerates, new recommendations for security tooling must be made with a DevEx mindset, and that is the crux modern DevSecOps can use to improve cloud-native security.<\/p>\n
Article written by Steve Judd, Solutions Architect at Jetstack<\/p>\n","protected":false},"excerpt":{"rendered":" As digital transformation programs continue to be a firm priority for many CEOs, organizations are increasingly adopting cloud-native architectures to expand their DevOps practices and build developer platforms that drive innovation. However, these rapid development cycles are putting pressure on enterprise security, as developer-led processes are not always aligned with IT security policies and practices….<\/p>\n","protected":false},"author":123458,"featured_media":25442,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","pmpro_default_level":"","footnotes":""},"categories":[3480,2,1158],"tags":[67,914,1880,112],"yoast_head":"\n